Adobe Systems has issued a critical update to Acrobat and Reader, repairing a bevy of vulnerabilities in the software. The company is also warning about ongoing attacks targeting zero-day vulnerabilities in its ColdFusion Web application development platform.
The software maker addressed 26 vulnerabilities in its PDF creation and viewing program, among the most frequently targeted programs by attackers. The update impacts all Adobe Reader and Acrobat versions 11.5.502.146 and earlier on Windows and Macintosh and versions 22.214.171.1241 on Linux systems. Adobe also issued an update for Android devices.
The coding errors range from critical memory flaws to two bugs that can enable an attacker to bypass security settings. In its security advisory issued Tuesday, Adobe gave the update a high-priority rating for Windows users.
"These updates address a vulnerability that could cause a crash and potentially allow an attacker to take control of the affected system," Adobe said in its advisory.
Adobe is seeing no attacks currently targeting the errors, but vulnerability management experts say that once an update is released, it doesn't take long for attackers to reverse engineer the update and create exploits targeting the vulnerabilities. An attacker typically needs to pass a malicious PDF file to a victim in order to exploit the errors. A successful attack would enable an attacker to execute malicious code and download additional malware onto a victim's machine to steal data.
Adobe Reader X and Acrobat X are designed with additional security controls, making it more difficult for cybercriminals to carry out a successful attack. But, two of the errors, CVE-2013-0622 and CVE-2013-0624, could enable an attacker to bypass security restrictions. Adobe credited detection of the coding errors to security researchers Billy Rios, Federico Lanusse, Mauro Gentile and Joel Geraci.
The software maker is also warning Windows, Macintosh and UNIX ColdFusion users that vulnerabilities in the development platform are being exploited in the wild. Adobe issued a security advisory Jan. 4, warning developers that the platform contained three critical vulnerabilities. An attacker can remotely circumvent authentication controls and potentially take control of an affected server, Adobe said. The errors also enable an attacker to access restricted directors and view information on a compromised server.
"We are in the process of finalizing a fix for the issues and expect a hotfix will be available on January 15, 2013," Adobe said.
Adobe also issued a critical Flash Player update, repairing a remote code execution vulnerability. The update affects Flash Player for Windows, Linux, Android and Adobe AIR. Flash Player installed with Google Chrome and Internet Explorer 10 will be automatically updated, Adobe said.
Adobe credited Google Security Team engineers for finding the coding error.
PUBLISHED JAN. 8, 2013